On 2013-11-02, Joe Pfeiffer <pfeif...@cs.nmsu.edu> wrote:
>>>
>>> Again -- isn't "basically equivalent to giving everyone uid=0." Permits
>>> someone who *has* sudo access to avoid retyping a password.
>>
>> Not only that. Permits someone who already has sudo access to continue
>> having such access indefinitely, ignoring being excluded from sudoers
>> altogether.
>
> You made a specific claim, that sudo without patches is "basically
> equivalent to giving everyone uid=0". You have yet to say anything that
> even begins to substantiate that claim.
>
How about this bug:

http://www.sudo.ws/sudo/alerts/sudo_debug.html

Impact:
Successful exploitation of the bug will allow a user to run
arbitrary commands as root.

Exploitation of the bug does not require that the attacker be
listed in the sudoers file. As such, we strongly suggest that
affected sites upgrade from affected sudo versions as soon as
possible.